Ask Wireshark - RSS feed
https://ask.wireshark.org/questions/
Wireshark questions and answers
Copyright Wireshark Foundation, 2017-2019
Fri, 19 Jan 2018 04:37:10 +0000

Help to set up a "pass through bridge" sniffer
https://ask.wireshark.org/question/1073/help-to-set-up-a-pass-through-bridge-sniffer/

I would like to do the following scenario:
- A laptop running Windows 10 with 1 Ethernet port. (The "Wireshark laptop".)
- I will install a USB Ethernet dongle to the Wireshark laptop. Now the Wireshark laptop has two Ethernet ports.
- Someone will hopefully tell us how to set up the network adapter software to "bridge" Ethernet port 1 to Ethernet port 2 so that data is bidirectionally passed through the 2 Ethernet ports. This can be Windows 10 configuration, or require installing commercial software.
- There are other computers here. I will run Cat 5 from the other computers into Ethernet port 1 of the Wireshark laptop, and more Cat 5 from Ethernet port 2 of the Wireshark laptop to the Internet connection.
This will allow me to capture malicious outbound data. If you install Wireshark locally, viruses have enough kernel access that they can prevent Wireshark from "seeing" the outbound network data they send, so you must use an external sniffer. Basically I want to build a device to wiretap myself.
Could you please tell me how to set up the network adapter software to "bridge" Ethernet port 1 to Ethernet port 2 so that data is bidirectionally passed through the 2 Ethernet ports? In addition Wireshark needs to be able to sniff from either of these Ethernet ports.
Thank you for any help and advice.
Thu, 28 Dec 2017 04:11:24 +0000

Comment by wiresharkuser754372570:
https://ask.wireshark.org/question/1073/help-to-set-up-a-pass-through-bridge-sniffer/?comment=1096#post-id-1096
Thanks. I might try it with Linux also.
Mon, 01 Jan 2018 22:43:38 +0000

Comment by Uli:
https://ask.wireshark.org/question/1073/help-to-set-up-a-pass-through-bridge-sniffer/?comment=1078#post-id-1078
Yes, I know you asked for "Windows", but you can do this easily with Linux with [brctl](http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html).
You can run a Live Linux (such as Kali) on your laptop, set up the bridge and run Wireshark to capture the traffic passing the bridge.
Thu, 28 Dec 2017 14:52:01 +0000

Answer by wiresharkuser754372570:
https://ask.wireshark.org/question/1073/help-to-set-up-a-pass-through-bridge-sniffer/?answer=1319#post-id-1319
It worked.
I used a crossover CAT6 cable from the other computer to the Wireshark laptop.
I tried Bridge Connections but it didn't work. DHCP from the "Ethernet port 2" side (outside the Wireshark laptop) addressed both the Wireshark laptop and the other computer, but network transactions from either computer wouldn't work.
Instead, I used Internet Connection Sharing in Windows 10. This sets up an additional DHCP server to address the other computer.
When installing Wireshark, I selected all additional packages such as WinPcap. Once in Wireshark I selected the network interface associated with the other computer. It was named "Ethernet". This started real-time network monitoring.
Once in the data capture view the useful information was the IP and HTTP (application) layers. I could see IP layer transactions to see the destination IP addresses, and HTTP (non-HTTPS) showed me actual HTTP data. Without being able to decrypt encrypted application layer protocols, that may be the most that I can get out of this technique for detecting malware. Destination IP address is very useful, though.
Thank you for everyone's suggestions!
Fri, 19 Jan 2018 04:37:10 +0000

Answer by sindy:
https://ask.wireshark.org/question/1073/help-to-set-up-a-pass-through-bridge-sniffer/?answer=1082#post-id-1082
While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:
- most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
- right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings"
- once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' language; it should open the "Win7-like" window
- in the left column, click "change adapter settings", a new window with a list of all network cards opens
- in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
- now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.
In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).
The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.
The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.
Something is telling me that the MAC address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the 'private' bit").
There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend disabling all protocols (IPv4, IPv6, IPX) on the virtual interface before connecting the infected machine.
Thu, 28 Dec 2017 16:49:18 +0000

Comment by wiresharkuser754372570:
https://ask.wireshark.org/question/1073/help-to-set-up-a-pass-through-bridge-sniffer/?comment=1097#post-id-1097
Thanks for so many details. I'll get back to this thread after I try it, which may take some time. About your malware point, the possibly "infected" host is actually running Linux.
Mon, 01 Jan 2018 22:45:36 +0000
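The accepted answer above notes that, once the application layer is encrypted, the destination IP addresses are the most useful thing the pass-through sniffer yields. The following is an added example written for this edit, not code from the thread or from the Wireshark project: it reads a classic pcap such as Wireshark saves from a capture on the physical adapter and tallies, per local host, which Internet destinations and ports that host contacted, using only the Python standard library. The sample capture, the host addresses and the 192.168.137.0/24 subnet are constructed assumptions (that subnet is the range Windows Internet Connection Sharing uses by default).

```python
"""Tally outbound Internet destinations from a pcap captured on the bridge.

Standard library only: parses the classic pcap container, Ethernet II
(with an optional 802.1Q tag), IPv4, and the TCP/UDP destination port.
The sample capture below is constructed in code, not a real recording.
"""
import ipaddress
import struct
from collections import Counter, defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
PROTO_TCP, PROTO_UDP = 6, 17

# Destinations that are not "the Internet": RFC 1918, loopback, link-local, multicast.
# Deliberately an explicit list rather than ipaddress.is_global, because Python also
# treats the documentation ranges used in the sample (203.0.113.0/24 etc.) as non-global.
NOT_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def is_internet_dst(addr):
    return not any(addr in net for net in NOT_INTERNET)


def build_frame(src_ip, dst_ip, proto=PROTO_TCP, sport=50000, dport=443, vlan=None):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed test data)."""
    eth = bytes.fromhex("665544332211") + bytes.fromhex("001122334455")
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:  # bare SYN, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (magic 0xa1b2c3d4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from a classic pcap; stops cleanly at a truncated record."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected LINKTYPE_ETHERNET, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # capture cut short; do not misparse the tail
        off += incl_len
        yield frame


def parse_ipv4(frame):
    """Return (src, dst, proto, dport) for an IPv4 frame, or None for anything else."""
    if len(frame) < 14:
        return None
    off = 12
    ethertype, = struct.unpack_from("!H", frame, off)
    if ethertype == ETHERTYPE_VLAN:  # skip the 4-byte 802.1Q tag
        off += 4
        if len(frame) < off + 2:
            return None
        ethertype, = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = ipaddress.IPv4Address(frame[off + 12:off + 16])
    dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
    l4 = off + ihl
    dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        dport, = struct.unpack_from("!H", frame, l4 + 2)
    return src, dst, proto, dport


def summarize_outbound(pcap_bytes, local_net):
    """Count (dst, proto, dport) per local host for traffic leaving local_net
    towards Internet addresses; intra-LAN, private, inbound and non-IPv4 frames are skipped."""
    local = ipaddress.ip_network(local_net)
    per_host = defaultdict(Counter)
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if src not in local or dst in local or not is_internet_dst(dst):
            continue
        per_host[str(src)][(str(dst), proto, dport)] += 1
    return dict(per_host)


# Constructed sample: one monitored host behind the Wireshark laptop running ICS.
LOCAL_NET = "192.168.137.0/24"
HOST, GW = "192.168.137.10", "192.168.137.1"
SAMPLE_PCAP = build_pcap([
    build_frame(HOST, "203.0.113.5", dport=443),
    build_frame(HOST, "203.0.113.5", dport=443, sport=50001),
    build_frame(HOST, "203.0.113.5", dport=443, vlan=10),        # tagged frame
    build_frame(HOST, "198.51.100.7", dport=8080),
    build_frame(HOST, "198.51.100.7", dport=8080),
    build_frame(HOST, GW, proto=PROTO_UDP, dport=53),            # local DNS: skipped
    build_frame("203.0.113.5", HOST, sport=443, dport=50000),    # inbound reply: skipped
    bytes(42),                                                   # non-IP frame: skipped
])

if __name__ == "__main__":
    for host, flows in summarize_outbound(SAMPLE_PCAP, LOCAL_NET).items():
        print(host)
        for (dst, proto, dport), n in flows.most_common():
            name = {PROTO_TCP: "tcp", PROTO_UDP: "udp"}.get(proto, str(proto))
            print("  -> %s %s/%s  x%d" % (dst, name, dport, n))
```

Run it as a script to print the tally, or pass the bytes of a capture saved by Wireshark in classic pcap format (not pcapng) to summarize_outbound with the subnet that ICS or the bridge hands out. An unexpected destination or port showing up under a host is the kind of lead the accepted answer describes; the tally is a starting point for looking at those flows in Wireshark, not a verdict.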